ScreenShot
| Created | 2021.08.03 14:16 | Machine | s1_win7_x6402 |
| Filename | BIO.dotm | ||
| Type | Microsoft Word 2007+ | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 3a4eade28ea08955d0bb0b271ae55e64 | ||
| sha256 | 5294f69209dca3b96cc506e8582ceac979a95f64587851615f103250ca2a0bbd | ||
| ssdeep | 384:nSk68Qz51Jm+bujj7mEXaxuCzSB00bF8jnMYNYnrEYhhXx1Df8BkITtZr+B3cH:SEQzLJm+buPKEKQ2s8jMYYthtfsReu | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Word document hooks document open |
| notice | Yara rule detected in process memory |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| warning | Contains_VBA_macro_code | Detect a MS Office document with embedded VBA macro code [binaries] | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (4cnts) ?
Suricata ids
ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
ET INFO PowerShell DownloadString Command Common In Powershell Stagers